Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ4NTItdnJoNy0yOHJm
Reflected XSS in GraphQL Playground
Impact
directly impacted:
graphql-playground-html@<1.6.22- all unsanitized user input forrenderPlaygroundPage()
all of our consuming packages of graphql-playground-html are impacted:
graphql-playground-middleware-express@<1.7.16- unsanitized user input toexpressPlayground()graphql-playground-middleware-koa@<1.6.15- unsanitized user input tokoaPlayground()graphql-playground-middleware-lambda@<1.7.17- unsanitized user input tolambdaPlayground()graphql-playground-middleware-hapi@<1.6.13- unsanitized user input tohapiPlayground()
as well as any other packages that use these methods with unsanitized user input.
not impacted:
graphql-playground-electron- usesrenderPlaygroundPage()statically for a webpack build for electron bundle, no dynamic user inputgraphql-playground-react- usage of the component directly in a react application does not expose reflected XSS vulnerabilities. only the demo inpublic/contains the vulnerability, because it uses an old version of the html pacakge.
Patches
upgrading to the above mentioned versions will solve the issue.
If you're using graphql-playground-html directly, then:
yarn add graphql-playground-html@^1.6.22
or
npm install --save graphql-playground-html@^1.6.22
Then, similar steps need to be taken for each middleware:
Workarounds
Ensure you properly sanitize all user input for options you use for whatever function to initialize GraphQLPlayground:
for example, with graphql-playground-html and express:
const { sanitizeUrl } = require('@braintree/sanitize-url');
const qs = require('querystringify');
const { renderPlaygroundPage } = require('graphql-playground-html');
module.exports = (req, res, next) => {
const { endpoint } = qs.parse(req.url)
res.html(renderPlaygroundPage({endpoint: sanitizeUrl(endpoint) })).status(200)
next()
}
or, with graphql-playground-express:
const { expressPlayground } = require('graphql-playground-middleware-express');
const { sanitizeUrl } = require('@braintree/sanitize-url');
const qs = require('querystringify');
const { renderPlaygroundPage } = require('graphql-playground-html');
module.exports = (req, res, next) => {
const { endpoint } = qs.parse(req.url)
res.html(expressPlayground({endpoint: sanitizeUrl(endpoint) })).status(200)
next()
}
References
Credits
Masato Kinugawa of Cure53
For more information
If you have any questions or comments about this advisory:
- Open an issue in graphql-playground
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ4NTItdnJoNy0yOHJm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Identifiers: GHSA-4852-vrh7-28rf, CVE-2020-4038
References:
- https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
- https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7
- https://nvd.nist.gov/vuln/detail/CVE-2020-4038
- https://github.com/prisma-labs/graphql-playground#security-details
- https://github.com/graphql/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
- https://github.com/advisories/GHSA-4852-vrh7-28rf
Blast Radius: 37.4
Affected Packages
npm:graphql-playground-html
Dependent packages: 77Dependent repositories: 112,814
Downloads: 1,226,826 last month
Affected Version Ranges: < 1.6.22
Fixed in: 1.6.22
All affected versions: 1.3.5, 1.3.6, 1.3.11, 1.3.12, 1.3.13, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.17, 1.6.19, 1.6.20, 1.6.21
All unaffected versions: 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 1.6.29, 1.6.30